Section 26 - Public Key Infrastructure Flashcards

1
Q

What is PKI?

A

Public Key Infrastructure

An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption.

*** This is the system that creates the asymmetric key pairs (the public and private keys used for encryption and decryption) and manages those key pairs to make sure they are valid and can be trusted.

2
Q

What is the difference between PKC, PKE and PKI?

A

PKC (Public Key Cryptography) is just talking about the encryption and decryption process. It is a small part of the overall PKI (Public Key Infrastructure) architecture.

PKE (Public Key Encryption) is just the asymmetric encryption and decryption piece.

PKI is the system that creates the asymmetric key pairs.

Remember that PKI uses PKC to do its job, but PKI is the entire system of things done to create the secure connection from end to end.

3
Q

For PKI to work successfully, we need to have a trusted third party involved. This is known as…?

A

A certificate authority

4
Q

What do certificate authorities do?

A

They issue digital certificates and maintain the level of trust between all of the certificate authorities around the world.

5
Q

What is a digital certificate?

A

A certificate is a digitally signed electronic document that binds a public key to a user’s identity.

*** The user in this case can be a human, a server, a workstation, or a device.

6
Q

Certificates commonly use the ____ standard for digital certificates.

A

X.509

*** This contains the owner’s or user’s information, such as their name, organization, the certificate authority’s information, and their public key.

7
Q

To get a digital certificate for your web server, you have to purchase that certificate from…?

A

A certificate authority or a registration authority

8
Q

When a certificate is purchased for a server, it’s only applied to…?

A

one server by default

9
Q

What is a wildcard certificate?

A

Allows all of the subdomains to use the same public key certificate and have it displayed as valid.

*** This bypasses the default, where a certificate typically only covers one server.

10
Q

What is the SAN field?

A

Subject Alternative Name

This field in a certificate specifies the additional domains and IP addresses that are supported by that certificate.

11
Q

What is a single sided certificate?

A

Only one side of the authentication is done with a certificate.

*** When you connect to a website, there’s a secure session that’s established and the server is going to identify itself to your web browser using the server’s digital certificate. You are not required to have your own certificate to be authenticated back to the server.

12
Q

What is a dual-sided certificate?

A

When an organization requires both the server and the user to validate each other using certificates

13
Q

With digital certificates, each certificate is validated using the concept of…?

A

Chain of Trust

Moving from the bottom upward

*** Think of this like a family tree. Your child would have to go up the family tree through the chain of trust to get approved.

14
Q

Digital certificates are usually based on the X.509 standard but the certificate itself must be ___ before it can be used.

A

encoded

15
Q

What are the three different encoding methods under the X.690 standard?

A

BER
CER
DER

16
Q

What is BER?

A

Basic Encoding Rules

The original rule set governing the encoding of data structures for certificates.

*** BER allows multiple encoding types for the same value, which is what makes it different from CER.

17
Q

What is CER?

A

Canonical Encoding Rules

The restricted version of BER that only allows the use of one encoding type.

18
Q

What is DER?

A

Distinguished Encoding Rules

Another restricted version of BER that also only allows one encoding type, but with more restrictive rules for lengths, character strings, and how a particular element or digital certificate is stored.

19
Q

What encoding type is most commonly used for X.509 certificates?

A

DER

20
Q

When dealing with digital certificates you may come across a few different file types on your machine, including…?

A

PEM
CER
CRT
KEY
P12
PFX
P7B

21
Q

The .pem format is used for…?

A

Privacy Enhanced Electronic Mail

Uses the DER encoding method.

Sometimes stored as a .cer, .crt, or .key file.

22
Q

The .p12 file is going to be used for…?

A

To store a server certificate, an intermediate certificate, and a private key in one encrypted file.

It is called .p12 because it is the binary format of the PKCS #12 standard.

23
Q

The .pfx file is used for…?

A

Personal Information Exchange

This is used by Microsoft for release signing. This file contains both the private and public keys.

24
Q

The .p7b file is used for…?

A

Used as the basis for S/MIME, the secure email protocol. It is also used for single sign-on.

It is called .p7b because it is based on PKCS #7.

25
Q

What is X.509?

A

The standard used in PKI for digital certificates; it contains the owner’s/user’s information and the certificate authority’s information.

26
Q

For a digital certificate to be issued, a user first has to request a digital certificate from…?

A

Registration Authority (RA)

27
Q

The RA requests the identifying information from the user and forwards that certificate request up to the…?

A

Certificate Authority (CA)

28
Q

The ___ ___ creates the digital certificate, including the user’s public key and their identity information, and passes that back to the user.

A

CA

29
Q

There are many root certificate authorities out there including companies like…?

A

Verisign, Digisign and many others

30
Q

The root certificate authorities act as a trusted ___ ___ to validate the certificates are being issued to the correct people.

A

Third party

*** In addition, they also maintain a publicly accessible copy of that user’s public key, which makes it available to other users who wish to send them confidential information.

31
Q

What is CRL?

A

Certificate Revocation List

An online list of digital certificates that the certificate authority has already revoked.

This is a list of every certificate EVER revoked.

*** This is usually because the certificate has been compromised.

32
Q

If you want to determine if a certificate was revoked, you would have to use a protocol known as…?

A

OCSP

Online Certificate Status Protocol

Using its serial number, you can determine the revocation status of any digital certificate.

The status returned for a certificate is one of good, revoked, or unknown.

*** This is an alternative to the CRL.

33
Q

What is the difference between OCSP and CRL?

A

OCSP operates much more quickly and efficiently because it doesn’t use encryption, but that also makes it less secure than CRL.

34
Q

OCSP is an alternative to CRL. What is the alternative to OCSP?

A

OCSP Stapling

Allows the certificate holder to get the OCSP record from the server at a regular interval and include it as part of the SSL or TLS handshake.

This eliminates the additional connection that would otherwise be required at the time of the user’s request and speeds up the secure tunnel creation process.

*** This used to be known as the TLS Certificate Status Request Extension.

35
Q

What is a concern with digital certificates?

A

An attacker impersonating a server.

36
Q

What is public key pinning?

A

Allows an HTTPS website to resist impersonation attacks by those presenting fraudulent certificates: the site presents a set of trusted public keys to the user’s web browser as part of its HTTP headers.

37
Q

What is “Key Escrow”?

A

Occurs when a secure copy of a user’s private key is held in case that user accidentally loses their key.

The escrow essentially stores the keys.

*** Remember: to protect against someone stealing those keys, you should always have two different administrators present when a key is taken out of escrow. This implements the concept of “separation of duties.”

38
Q

What is “Key Recovery Agent”?

A

A specialized type of software that allows a lost or corrupted key to be restored.

*** Think of it as a backup for all of the certificate authority’s keys in the event an accident or disaster were to occur.

39
Q

Remember: if a root CA is compromised by an attacker, then every certificate that has been issued by that CA is now considered…?

A

Compromised

They have to be revoked and reissued.

40
Q

What is the “Web of Trust”?

A

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system.

*** One of those issues, for example, is having to pay to get a digital certificate. With a Web of Trust, two people choose to trust one another and, because of that, are able to extend that trust to other people. Another example is the system of rating products sold online: you trust the ratings of others to give a consensus on whether what you’re seeing is trustworthy or not.

41
Q

What is a self-signed certificate?

A

A way to bypass using a third party to authenticate whether something is trustworthy.

*** With these certificates, you will get an error in the web browser, and you must elect to trust them and assume the associated risks.

42
Q

PGP (Pretty Good Privacy) is an example of Web of Trust. True or False?

A

True

Every person who trusts you helps to increase your rating, and as more people know and trust you, other people come to know and trust you as well.

Much the same thing happens on Twitter, Facebook, and other social media. Google uses this same concept when it ranks websites.

43
Q

What is transitive trust?

A

When X trusts Y and Y trusts Z, X therefore trusts Z.

This is because trust flows from the first party through the second party to the third party.

44
Q

Non-repudiation occurs when…?

A

A sender cannot claim that they didn’t send an email when they did.

45
Q

What is CSR?

A

Certificate Signing Request

This is what is submitted to the CA (certificate authority) to request a digital certificate.